CNIL (France) - SAN-2024-004

From GDPRhub
Revision as of 11:00, 17 April 2024 by Nzm (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNIL - SAN-2024-004
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Article 6 GDPR
Article 14 GDPR
Article L. 34-5 CPCE
Type: Investigation
Outcome: Violation Found
Started:
Decided: 04.04.2024
Published: 09.04.2024
Fine: 525,000 EUR
Parties: HUBSIDE.STORE
National Case Number/Name: SAN-2024-004
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: nzm

The DPA imposed €525,000 to HUBSIDE.STORE for carrying out canvassing campaigns using personal data obtained via forms that were deceptive by design and did not allow the controller to collect valid consent.

English Summary

Facts

HUBSIDE.STORE (“controller”) has stores in France, Belgium, Spain, Portugal and Italy. In France, the controller carried out canvassing campaigns by telephone and SMS from prospect files purchased from two main data brokers, in order to promote the products it sold. The French DPA (“CNIL”) carried out an inspection at the controller’s premises in order to verify compliance with the GDPR and French Data Protection Act.

During this inspection, the CNIL discovered that, regarding commercial prospecting by SMS, the controller carried out these operations using prospect files purchased from data suppliers. These data suppliers collected the data of the persons concerned via entry forms for online competitions, in order to enable their partners to use them in their commercial prospecting.

The CNIL indicated that the forms accessible on the websites of the data suppliers were similar: beneath the fields enabling the person to enter their contact details was a “VALIDATE”, “I VALIDATE” or “I ANSWER QUESTIONS TO APPLY” button. Above or below this button, a text specified that by clicking on the button, the data subject declares that they have read the controller’s privacy policy and accepts that the data collected will be used to send them offers from the company’s partners. Hyperlinks were provided to access the privacy policy and the list of partners concerned. At the end of the text, it specified that if the data subject wishes to continue without receiving offers from the controller’s partners, they can click on a link in the text (“click here”).

The CNIL also pointed out that the form contains a hypertext link to a nominative lust of partners and not to categories of partners. However, the list did not mention HUBSIDE.STORE.

The controller also provided the CNIL with recordings of canvassing calls that they sent to Belgium in order to promote its stores there. The CNIL found that during these calls, the data subjects were only informed that the call had been recorded and that they could register with Bloctel.

The CNIL issued a decision regarding the legal basis for the commercial prospecting by SMS, by telephone, concerning the information delivered to the data subjects, and finally regarding the security measures implemented by the controller.

Holding

Preliminarily, regarding the cooperation mechanism, the CNIL considered that although the commercial canvassing operations were carried out exclusively from France, targeting French nationals, the controller transmitted recordings of canvassing calls to Belgium in order to promote its stores there. The CNIL added that the controller’s customer database contained all the customer data for HUBSIDE.STORE in Europe. Therefore, the CNIL found that the controller carried out cross-border processing and communicated the relevant information to the supervisory authorities concerned under Article 60(3) GDPR. None of the authorities raised any relevant and reasoned objection to the draft decision sent. Thus, under Article 60(6) GDPR they were deemed to have approved it.

Firstly, regarding the obligation to obtain consent from data subjects for commercial prospecting by electronic means (SMS), French national law, in particular Article L. 34-5 of the Postal and Electronic Communications Code (“CPCE”) establishes that consent is necessary for commercial prospecting by electronic means. Read in conjunction with Article 4(11) GDPR, an organization carrying out commercial canvassing by electronic means must collect the unambiguous, specific, free and informed consent of the data subject.

The CNIL added that that the forms used by the data suppliers did not allow data subjects to express a valid choice reflecting their preferences regarding the transmission of data for commercial prospecting purposes. The DPA found that the “VALIDATE”, “I VALIDATE” or “I ANSWER QUESTIONS TO APPLY’ button was highlighted by their size and color, which made it stand out from other information provided. The CNIL pointed out that the text used suggested the conclusion of the data subject’s journey rather than the transmission of data to partners. The location of the button also gave the impression that it must be clicked to complete the registration and take part in the competition.

On the other hand, the hypertext link which enabled data subjects to take part in the game without agreeing to the transmission of their data to partners was presented in the body of the text and in characters of a much smaller size. Therefore, it did not appear intuitive that it was possible to take part in the competition without clicking on one of the aforementioned buttons. Thus, the CNIL considered that the consent obtained was not unambiguous and free, violating Article L.34-5 CPCE and Article 4 GDPR.

Secondly, regarding the legal basis for the telephone canvassing, the CNIL considered legitimate interest and consent. On legitimate interest, the CNIL indicated that non-electronic commercial canvassing may be carried out in the basis of the controller’s legitimate interest if the processing does not infringe the rights and interests of the data subject. The controller must also take into account their reasonable expectations.

In the present case, the controller considered that the competition forms used did not enable the data subject to reasonably expect to receive commercial prospecting offers. The CNIL held that as the controller did not appear on the nominative list of partners to which the hyperlink in the form sent to, this exceeded the reasonable expectations of the data subjects. Therefore, the controller could not rely on legitimate interest.

On consent, the CNIL found that the forms implemented by the data suppliers did not enable valid consent to be obtained. Therefore, the CNIL considered that the controller did not obtain valid consent, and that there was no legal basis to the commercial canvassing operations by telephone.

Thirdly, regarding transparent information, the CNIL considered that in the present case, Article 14 GDPR applied to the controller as the data has not been collected by the controller itself. The CNIL held that the controller did not provide all the information required by Article 14 GDPR and did not offer the possibility to the data subject to obtain more complete information. Thus, the CNIL concluded that there was a breach of Article 14 GDPR.

Finally, regarding the security of processing, the CNIL indicated that under Article 32 GDPR, the controller must implement appropriate measures to ensure the confidentiality of data and prevent it from being processed unlawfully. The CNIL noted that the controller kept its customers’ personal data after the end of the contractual relationship without any intermediate archiving measures. However, the DPA decided that nothing established that persons would have access to said data without having a need to know. Therefore, the CNIL indicated that there was no breach of Article 32 GDPR.

The CNIL imposed a total fine of €525,000 on the controller: €200,000 for the infringement of Article L. 34-5 CPCE and €325,000 for the violation of Articles 6 and 14 GDPR.

Comment

This decision is in line with a few rulings handed down by the CNIL. See in particular:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training no. SAN-2024-004 of April 4, 2024 concerning the company HUBSIDE.STORE

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Ms. Isabelle LATOURNARIE-WILLEMS and MM. Alain DRU and Bertrand du MARAIS, members;

Considering the end of the mandate of Mr. Alexandre LINDEN, which occurred on February 1, 2024;

Having regard to deliberation no. 2024-015 of March 7, 2024 electing Mr. Philippe-Pierre CABOURDIN as president of the restricted formation of the National Commission for Informatics and Liberties;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Having regard to the postal and electronic communications code;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision no. 2021-191C of June 29, 2021 of the President of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing implemented by the company SFK GROUP, by its subsidiaries or on its behalf, in any place likely to be affected by their implementation;

Having regard to the decision of the President of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated April 4, 2022;

Having regard to the report of Ms. Valérie PEUGEOT, commissioner rapporteur, notified to the company HUBSIDE.STORE on August 23, 2023;

Considering the written observations submitted by the company HUBSIDE.STORE on September 29, 2023;

Having regard to the rapporteur's response to these observations, notified to the company on October 20, 2023;

Considering the closure of the investigation, notified to the company on November 22, 2023;

Considering the oral observations made during the restricted training session of December 7, 2023;

Considering the deliberation before the right of the restricted training n°SAN-2023-019 of December 14, 2023;

Having regard to the written observations submitted by the rapporteur on December 21, 2023;

Considering the written observations submitted by the company on December 28, 2023;

Considering the oral observations made during the restricted training session of January 18, 2024;

Considering the note for deliberation sent by the company on January 29, 2024;

Considering the other documents in the file;

Were present during the restricted training session:

- Ms. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of the company HUBSIDE.STORE:

- […] ;

The company HUBSIDE.STORE having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The company HUBSIDE.STORE (hereinafter "the company"), whose head office is located at 23/25 avenue Kléber in Paris (16th), is a subsidiary of the company SFK GROUP. Its activity is the management of “HUBSIDE.STORE” stores, specializing in the retail trade of telecommunications equipment. As of May 31, 2023, the company employed 706 employees and had 97 stores, spread across France, Belgium, Portugal and Italy. Its turnover for the year 2021 amounted to approximately […] euros, for a net result of […] euros.

2. In order to promote the catalog of products sold in stores, the company carries out canvassing campaigns by telephone and SMS based on prospect files purchased from two main partners, the companies […] and […]. It indicated having sent approximately 1.4 million SMS messages between September 2020 and September 2021, and more than 220,000 between May 2022 and May 2023. Regarding telephone prospecting, the company indicated having made approximately 3.2 million calls between May 2022 and May 2023, to approximately 1.3 million prospects.

3. On September 23, 2021, a delegation from the National Commission for Information Technology and Liberties (hereinafter “the CNIL” or “the Commission”) carried out an inspection at the company's premises, in order to verify the compliance with the provisions of law no. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978 as amended") and of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data and the free movement of such data (hereinafter the “Regulation” or “GDPR”).

4. Report No. 2021-191/1, drawn up on the day of the inspection, was notified to the company on September 30, 2021.

5. The company communicated additional documents on October 5 and November 22, 2021.

6. For the purposes of examining these elements, the President of the Commission, on April 4, 2022, appointed Ms. Valérie PEUGEOT as rapporteur on the basis of article 22 of the law of January 6, 1978 as amended.

7. In accordance with Article 56 of the GDPR, on June 9, 2023, the CNIL informed all European supervisory authorities of its competence to act as lead supervisory authority regarding cross-border processing implemented by the company, resulting from the fact that the company's main establishment is in France. After discussions between the CNIL and the European data protection authorities as part of the one-stop shop mechanism, Italy, Spain, Portugal and Belgium declared themselves concerned.

8. On June 8 and July 13, 2023, the rapporteur sent two additional requests to which the company responded on June 23 and August 3, 2023.

9. On August 23, 2023, at the end of her investigation, the rapporteur notified the company of a report detailing the breaches of articles 6, 14 and 32 of the GDPR and article L. 34-5 of the code of Posts and Electronic Communications (hereinafter "the CPCE") which it considered constituted in this case. This report proposed to the restricted panel to impose an administrative fine against the company. He also proposed that this decision be made public.

10. On September 29, 2023, the company produced observations in response to the sanction report.

11. The rapporteur responded to the company's comments on October 20, 2023.

12. On November 22, 2023, the rapporteur, in application of III of article 40 of decree no. 2019-536 of May 29, 2019 taken for the application of the Data Protection Act, informed the company and the president of restricted training that the investigation was closed.

13. The same day, the company was informed that the file was included on the agenda for the restricted training on December 7, 2023.

14. The restricted panel held a session on December 7, 2023.

15. By preliminary deliberation No. SAN-2023-019 of December 14, 2023, sent by email to the company the same day and notified by post on December 21, 2023, the restricted panel requested the company HUBSIDE. STORE and the rapporteur the production of a complementary document, mentioned by the company during the meeting of December 7, 2023.

16. On December 21, 2023, the rapporteur communicated to the restricted panel a document entitled “leads_701_23-09-2021 […]”.

17. On December 28, 2023, the company communicated to the restricted panel a document also entitled “leads_701_23-09-2021 […]”.

18. Pursuant to article 41 of decree no. 2019-536 of May 29, 2019, a summons to the restricted training session of January 18, 2024 was notified to the company HUBSIDE.STORE on December 21, 2023;

19. The rapporteur and the company presented oral observations during the restricted training session.

II. Reasons for decision

A. On the appointment of the rapporteur

20. Under the terms of article 39 of decree no. 2019-536 of May 29, 2019, "when a measure provided for in III of article 20 of the law of January 6, 1978 […] is likely to be pronounced , the president of the commission appoints a rapporteur who does not belong to the restricted group, and informs the data controller or the subcontractor in question.

21. The restricted formation notes that in application of these provisions, the president of the CNIL has, by decision of April 7, 2022, designated Ms. Valérie PEUGEOT, commissioner, to draw up the report to enable the restricted formation to adopt its decision as part of the file “CTX n°2022-019 HUBSIDE.STORE”.

22. During the meeting of December 7, 2023, then as part of its observations of December 28, 2023, the company HUBSIDE.STORE invoked the nullity of this designation, to the extent that it would have taken place on the basis of a referral not concerning the company HUBSIDE.STORE.

23. The restricted panel notes that on July 1, 2020, the CNIL was notified of a complaint no.[...] targeting several companies in the SFK group.

24. By decision no. 2021-191 of June 29, 2021, the president of the CNIL instructed the secretary general to carry out or have carried out a verification mission of the processing implemented by the company SFK GROUP or by its subsidiaries.

25. The control report dated September 23, 2021 indicates that “the purpose of the control mission is to carry out on-site verification of the conformity of the processing of personal data implemented by the company SFK GROUP or by its subsidiaries and in particular the companies […] and […]". It specifies that “in particular, it was a question of carrying out verifications subsequent to the closings of May 4, 2021 of the formal notices MED n°2020-041 of November 24, 2020 against the company […] and MED n°2020-042 of November 24, 2020 against the company…]; it also involved following up on the referral […] relating to the exercise of his right of access by a complainant” .

26. The restricted panel considers that, to the extent that the referral [...] gave rise to checks carried out during the on-site inspection on September 23, 2021, which targeted the SFK group and all of its subsidiaries, of which the company HUBSIDE.STORE, the fact that this referral is mentioned in the decision of the president to appoint Ms. Valérie PEUGEOT as rapporteur has no impact on the validity of this designation, even if said referral does not specifically target the company HUBSIDE.STORE .STORE.

B. On the European cooperation procedure

27. Under Article 4(23)(b) of the GDPR, “cross-border processing” means “processing of personal data which takes place in the Union in the context of the activities of a single establishment of 'a controller or a processor, but which materially affects or is likely to materially affect data subjects in more than one Member State.'

28. The rapporteur notes that the company has stores in France, but also in Belgium, Spain, Portugal and Italy. It observes that, although the company indicated that its commercial prospecting operations were carried out exclusively from France, intended for French nationals, it nevertheless transmitted recordings of prospecting calls intended for Belgian nationals, with the aim of to promote its stores located in Belgium. Furthermore, the rapporteur notes that the company also indicated that its customer database contained all the data of customers of HUBSIDE.STORE stores in Europe. It considers that, therefore, the company implements cross-border processing of personal data.

29. In defense, with regard to commercial prospecting operations by telephone, the company states that it only carries out prospecting with individuals domiciled in France, in order to generate traffic in its points of sale located in France. Regarding the recordings of calls to Belgian nationals transmitted to the delegation, it specifies that "HUBSIDE.STORE Belgium, the lead entity carrying out the activities of HUBSIDE.STORE in Belgium, does not have staff dedicated to animation Also, for telephone or SMS prospecting operations carried out with the aim of generating traffic in points of sale located on Belgian territory, HUBSIDE.STORE Belgium was able to subcontract this prospecting activity to SFAM using the services of the French commercial platforms of this company From then on, the teams responsible for prospecting were provided with access to a Belgian prospecting file, acquired from HUBSIDE.STORE Belgium.

30. Firstly, with regard to commercial prospecting operations by telephone covered by the breach of Article 6 of the GDPR, the restricted training notes that this breach is based on the design of forms implemented by data brokers not providing the company HUBSIDE.STORE with data from French nationals only. Under these conditions, despite the company carrying out cold calling for Belgian nationals, the restricted panel considers that the processing concerned by the breach of Article 6 of the GDPR does not constitute cross-border processing.

31. Secondly, with regard to the recordings of telephone prospecting calls covered by the breach of Article 14 of the GDPR, the restricted panel notes that the latter target French nationals but also Belgian nationals, in order to promote stores located in Belgium. Thus, the cross-border nature of the processing appears characterized.

32. Third and last, the company indicated that its customer database, targeted by the breach of Article 32 of the GDPR, contained customer data from all HUBSIDE.STORE points of sale in Europe. The restricted training therefore considers that the management of this database constitutes cross-border processing within the meaning of Article 4, paragraph 23, of the GDPR.

33. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the restricted panel was transmitted to the other competent European supervisory authorities, with a view to enabling them to make relevant and reasoned objections on the processing and breaches which concern them, on February 20, 2024. The restricted panel notes that the following supervisory authorities are concerned by this procedure: Belgium, Italy, Spain, Portugal.

34. As of March 20, 2024, none of these authorities had formulated a relevant and reasoned objection to this draft decision, so that, pursuant to Article 60(6) of the GDPR, these the latter are deemed to have approved it.

C. On the failure to comply with the obligation to obtain the consent of the persons concerned for the implementation of commercial prospecting by electronic means

35. Under the terms of article L. 34-5 of the CPCE, “direct prospecting by means of an automated electronic communications system […], a fax machine or e-mails using the contact details of a natural person is prohibited […] who has not previously expressed consent to receive direct marketing by this means For the purposes of this article, consent means any manifestation of free, specific and informed will by which a person accepts that data. of a personal nature concerning it are used for the purpose of direct prospecting […] ".

36. Under the terms of Article 4(11) of the GDPR, “consent” of the data subject means “any free, specific, informed and unambiguous expression of will by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning them are subject to processing".

37. In application of the combined provisions of articles L.34-5 of the CPCE and 4, paragraph 11 of the GDPR, the organization which carries out commercial prospecting operations by electronic means must have unambiguous, specific, free and informed of the persons concerned.

38. The rapporteur notes that the company has indicated that it carries out commercial prospecting operations by SMS using prospect files purchased from data brokers. It observes that the findings made by the delegation made it possible to establish that these brokers collected the data of the persons concerned via participation forms in online competitions.

39. To propose to the restricted panel to consider that the company has failed to comply with its obligations resulting from article L. 34-5 of the CPCE, as clarified by the provisions of article 4, paragraph 11 of the GDPR, the rapporteur is based on the fact that the design of these forms does not allow users to demonstrate their consent by a clear and unambiguous positive act, and strongly encourages them to accept the transmission of their data to the company's partners for purposes prospecting.

40. In defense, the company relies on the terms of the contract linking it to one of its suppliers, the company […], believing that it cannot be held responsible for the non-compliant actions of its service provider. Regarding the other supplier, the company […], it indicates that it did not have any contractual relationship with it before November 2021 and that the majority of files received came from the company […], completed by contributions from the company […] itself using a network of subcontractors including the company […].

41. In this case, it appears from the instruction that the company HUBSIDE.STORE carries out commercial prospecting operations by SMS based on prospect files purchased from data providers, responsible for collecting the consent of the persons concerned at the time of data collection. Between September 2020 and September 2021, 1,363,773 prospecting SMS messages were sent. The number of shipments between May 2022 and May 2023 amounts to 221,206.

42. Firstly, with regard to the company […], the restricted panel notes that during the inspection on September 23, 2021, the company indicated that “prospecting SMS messages relating to the catalog of the company HUBSIDE.STORE are sent to the prospects provided by the company […] because the latter is able to target prospects close to the stores". On this occasion, an extraction of 5,000 prospect files provided by the company […] was carried out. Furthermore, the company provided the delegation with two purchase orders from the company […], dated August 3, 2021, relating to the sale of several tens of thousands of files to the company HUBSIDE.STORE.

43. These elements lead the restricted panel to consider that the company HUBSIDE.STORE was indeed using, on the day of the inspection, the prospect files delivered by the company […].

44. Secondly, the restricted training recalls that when the prospects' data have not been collected directly from them by the prospecting organization, consent may have been obtained at the time of the initial collection of the data by the prospecting organization. first-time collector, on behalf of the organization which will carry out subsequent prospecting operations. Failing this, it is up to the prospecting organization to obtain such consent before carrying out prospecting acts (CNIL, FR, November 24, 2022, Sanction, n°SAN-2022-021, published).

45. As a result, in its capacity as data controller, the company HUBSIDE.STORE is required to verify itself that the conditions allowing it to carry out commercial prospecting operations are met. In this regard, the restricted training held the responsibility of an organization by considering that a simple contractual commitment from its data broker to respect the GDPR and the rules applicable to commercial prospecting did not constitute a sufficient measure (CNIL, FR, November 24, 2022, Sanction, No. SAN-2022-021, published).

46. Thus, with regard to the contractual commitments of the company [...] which the company HUBSIDE.STORE relies on, the restricted panel considers that the contractual obligations that may be imposed on suppliers cannot exempt the company HUBSIDE.STORE from its liability in as data controller, despite the possible existence of supplier liability.

47. Thirdly, the restricted panel recalls that the specific consent required by the provisions of Article L. 34-5 of the CPCE can only result from express consent from the user, given in full knowledge of the facts after adequate information on the use that will be made of their personal data. It is therefore necessary to ensure that the persons concerned have given unequivocal, specific, free and informed consent when collecting their personal data via competition participation forms.

48. The restricted training notes in this regard that the work carried out on the practices implemented in terms of cookies with regard to banners for collecting consent can usefully serve to assess in a more general way the conditions for collecting free consent , unambiguous, specific and informed, and serve as a reference in matters of commercial prospecting when it is based on the collection of consent.

49. Furthermore, on the same conditions of consent, the Court of Justice of the European Union (hereinafter "CJEU") specified, in its Planet49 GmbH decision: "Article 7, sub a) of the Directive 95 provides that the consent of the data subject can make such processing lawful as long as this consent is "undoubtedly" given by the data subject. However, only active behavior on the part of this person with a view to manifesting his consent is. nature to fulfill this requirement” (CJEU, Grand Chamber, October 1, 2019, Planet49 GmbH, C-673/17, ECLI:EU:C:2019:801, §54). Therefore, it should be considered that if consent is not given without doubt, it must be considered as lacking, which makes the processing illegal for lack of legal basis. More precisely on the methods of collection, the CJEU states that "the manifestation of will referred to in Article 2(h) of Directive 95/46 must, in particular, be "specific", in the sense that it must relate precisely to the data processing concerned and cannot be inferred from a manifestation of will having a distinct object. In this case, contrary to what Planet49 argued, the fact of a user activating the button. participation in the promotional game organized by this company cannot therefore be sufficient to consider that the user has validly given consent to the placement of cookies” (Idem, §§ 58-59).

50. Furthermore, the Council of State held that "free, specific, informed and unequivocal consent can only be an express consent of the user, given in full knowledge of the facts and after adequate information on the use that will be made of his personal data " (CE, 10th and 9th chambers combined, June 19, 2020, Google LLC, no. 430810, pt. 21).

51. The restricted training also notes, by way of example, that guidelines 5/2020 on consent, adopted on May 4, 2020 by the "article 29" working group (now the European Data Protection Board, hereinafter "EDPS"), specify that the free nature of consent "implies a choice and real control for the data subjects. As a general rule, the GDPR provides that if the data subject is not genuinely able to exercise a choice, feels forced to consent or will suffer significant negative consequences if he or she does not give consent, the consent is not valid […] In general terms, any inappropriate pressure or influence exerted on the person concerned (which may manifest in different ways) preventing him from exercising his will will render the consent invalid.

52. By way of illustration and comparison, in its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of use of "cookies and other tracers", the Commission recommends that the organizations concerned ensure "that users take the full measure of the options available to them, in particular through the design chosen and the information provided (§ 10) […] In order not to induce mislead users, the Commission recommends that data controllers ensure that interfaces for collecting choices do not include potentially misleading design practices leading users to believe that their consent is obligatory or which visually highlight a choice rather than another It is recommended to use buttons and a font of the same size, offering the same ease of reading, and highlighted in the same way” (§ 34). She adds that it is necessary "to be careful that the information accompanying each actionable element allowing consent or refusal to be expressed is easily understandable and does not require efforts of concentration or interpretation on the part of the the user, it is particularly recommended to ensure that it is not written in such a way that a quick or careless reading could lead one to believe that the selected option produces the opposite of what the users expect. thought to choose” (§ 23). Otherwise, the unequivocal nature of the consent would not be characterized.

53. The restricted training also recalls that studies carried out on the practices of digital interfaces, in particular concerning cookies, note the considerable impact of the appearance of consent collection banners on the choice of users, which can encourage them to make choices that do not reflect their preferences on data sharing.

54. In this case, it appears from the documents in the file that the companies […] and […], suppliers of prospect data to the company HUBSIDE.STORE, collect the data of the persons concerned (surname, first name, title, address electronic mail, mobile telephone number, date of birth and postal address) via participation forms in online competitions, in order to allow their partners to use them as part of their commercial prospecting.

55. Regarding the findings made by the delegation during the inspection, the restricted panel notes that the forms accessible from the websites […], […], […] and […] are presented in a similar manner. Under the fields allowing the persons concerned to enter their contact details (which are requested by the formulas "fill in your details below in case of winning" or "fill in your details below to apply") is located a button "VALIDATE ", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY". Above or below this button, a text specifies that by clicking on it, the user declares to have read the company's data protection policy and accepts that the data collected will be used to send them offers. partners of the company. Hypertext links provide access to the data protection policy and the list of partners concerned. The end of the text specifies that if the user wishes to continue without receiving offers from the company's partners, they can click on a link present in the text ("click here").

56. Thus, the user confronted with this form can either click on a button allowing both to validate their participation in the game and to accept that their data is used to send them offers from the company's partners, or click on the “click here” link allowing you to continue without receiving these offers.

57. The restricted panel considers that as designed, the proposed forms do not allow data subjects to validly express a choice reflecting their preferences regarding the transmission of data for commercial prospecting purposes. The overall overview of the interfaces particularly highlights the "VALIDATE", "I VALIDATE" or "I ANSWER THE QUESTIONS TO APPLY" button which, by its size and color, stands out from the other information provided. Likewise, its title evokes more the conclusion of the user journey rather than a transmission of data to partners. Finally, its location gives the impression that it must be clicked to complete registration and participate in the competition. Conversely, the hypertext link allowing you to participate in the game without accepting the transmission of your data to partners is presented in the body of the text, in characters of a size significantly smaller than that used for the buttons and without any particular emphasis, so that it does not appear intuitive that it is possible to participate without clicking on one of the aforementioned buttons and therefore without transmitting your data to third parties for prospecting purposes. The consent obtained is therefore devoid of an unequivocal and free character.

58. The restricted panel also notes that, as part of its written observations relating to the breach of Article 6 of the GDPR, the company produced two other forms, presented as compliant. However, the restricted panel notes that their design does not allow the persons concerned to demonstrate their consent by a clear and unambiguous positive act.

59. On the one hand, the restricted panel observes that the presentation of these forms, like those consulted by the delegation during the on-site inspection, particularly highlights the "VALIDATE MY CONTACT INFORMATION" and "CONTINUE" button, to validate participation in the game and transmit data to partners. On the contrary, the hypertext link "click here" allowing you to participate in the game without accepting this transmission is presented in the body of the text, in characters of a size significantly smaller than that of the button and without any particular emphasis. In addition, the overall visual of the form accessible from the site […], which contains three green inserts (“I VALIDATE MY PARTICIPATION”, “I CONFIRM MY DETAILS FOR DELIVERY IN CASE OF WIN” and “VALIDATE MY CONTACT DETAILS”) leads us to believe that there is a logical sequencing between these three actions and that the “VALIDATE MY CONTACT INFORMATION” button is the last button to activate to participate in the game and obtain your winnings. However, this button is not obligatory since the user can use the aforementioned link "click here", which is not intuitive given the general appearance of the form.

60. In addition, with regard to the form implemented by the company […] from the site […], the restricted training notes the existence of two boxes to check, one concerning reading and acceptance of the rules of the game, the other reading the confidentiality policy and accepting the transmission of their data. The similar appearance of these boxes, presented as legal notices that must be read, and whose accompanying text begins with "I have read", pushes the user to check them indiscriminately, then to click on "CONTINUE" in transmitting its data. The possibility of participating in the draw without receiving promotional offers exists by clicking on the link "here" but is written in a smaller font and without emphasis compared to the "CONTINUE" button which, on the one hand, is particularly visible, by its size, its color and its font, on the other hand, seems to conclude the user journey due to its location at the bottom of the form. Thus, the optional nature of the “CONTINUE” button is not clearly deduced from the overall visual of the form.

61. On the other hand, the restricted training notes that an online check carried out on October 17, 2023 revealed that, given its configuration, the form referred to in the previous paragraph did not materially allow the user to participate to the game without accepting the transmission of their data to the company's partners, and therefore without being the recipient of commercial prospecting, contrary to what is indicated on the form.

62. The restricted panel thus considers that the above-mentioned forms do not sufficiently inform the persons concerned of the fact that they consent to the transmission of their data for commercial prospecting purposes, in a context where the very purpose of these sites web is to offer a prospect of earnings which cannot suggest the objective of long-term collection of this data for such purposes. These people are not able to demonstrate their consent by a clear and unambiguous positive act.

63. The restricted panel considers, under these conditions, that the company HUBSIDE.STORE does not have, to carry out its commercial prospecting operations electronically, valid consent within the meaning of articles L.34-5 of the CPCE and 4 of the GDPR.

64. A breach of article L.34-5 of the CPCE is thus characterized.

D. On the failure to comply with the obligation to process data lawfully

65. Under the terms of Article 6 of the GDPR, “1. Processing is only lawful if, and to the extent that, at least one of the following conditions is met:

a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject is party or for the execution of pre-contractual measures taken at the request of the data subject;

c) the processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to safeguard the vital interests of the data subject or another natural person;

e) the processing is necessary for the performance of a mission of public interest or relating to the exercise of public authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, unless overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the person concerned is a child.

66. The restricted training recalls that commercial prospecting actions by telephone calls can be carried out on the legal basis of the legitimate interest of the company (f) or on that of consent (a).

67. In this case, the company indicated that it carried out commercial prospecting operations by telephone, using prospect files purchased from several data providers.

68. The restricted panel notes that the company was not able, either in its written observations or in its oral observations during the session, to indicate precisely on what legal basis it was relying to carry out such processing. . Under these conditions, the two legal bases likely to be applicable in this case will be examined successively.

1) On legitimate interest

69. The rapporteur maintains that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of legitimate interest referred to in point f) of Article 6, paragraph 1 of the GDPR. It thus notes, with regard to the participation forms for online competitions through which the company [...] collects data from prospects which it resells to the company HUBSIDE.STORE, that the latter is not not systematically mentioned in the list of partners likely to approach the persons concerned, and that the latter cannot legitimately expect to receive commercial offers from this company.

70. In defense, the company relies on the contractual commitments of the company […], which provide that the company HUBSIDE.STORE must be mentioned among the recipients of the data collected. It considers that it cannot be held responsible for the shortcomings of its service provider, and produces an example of a form implemented by the company […] containing a URL link to a list of partners, including the company […] ] (a link to the latter's confidentiality policy allowing access to the complete list of companies belonging to the same group as […], including the company HUBSIDE.STORE). Finally, the company claims to implement regular checks relating to the conformity of the files delivered.

71. The restricted training recalls that, if commercial prospecting by non-electronic means can be carried out on the basis of the legitimate interest of the company, the latter must ensure that the processing does not conflict with the rights and interests of the persons whose the data is processed, taking into account their reasonable expectations.

72. In this regard, recital 47 of the GDPR provides that: “[…] the existence of a legitimate interest should be the subject of a careful assessment, in particular in order to determine whether a data subject can reasonably expect , at the time and in the context of the collection of personal data, that these are subject to processing for a given purpose The interests and fundamental rights of the person could, in particular, prevail. on the interest of the controller when personal data are processed in circumstances where the data subjects do not reasonably expect further processing […].

73. In the present case, the restricted panel notes that certain competition forms from which the company […] collects prospect data which it transmits to the company HUBSIDE.STORE do not allow the persons concerned to reasonably expect to receive commercial prospecting offers from this company.

74. Thus, with regard to the form accessible from the website […], the restricted panel observes that the latter contains a hyperlink referring to a nominal list of partners and not to categories of partners. Thus, the persons concerned can legitimately expect that this list of partners is exhaustive. However, said list does not mention the company HUBSIDE.STORE.

75. Concerning the forms present on the sites […] (this form referring to the site www.[...]) and […], the restricted training notes that they do not mention the list of partners or categories of partners to which the data may be transmitted, and that they also do not contain any link allowing access to such a list.

76. Moreover, with regard to the checks that the company claims to carry out on the forms from which the data are collected, the restricted training notes that it does not produce any element to attest to this, the contractual commitments of its suppliers do not not constituting a control measure as such.

77. The restricted panel considers that under these conditions, the protection of the interests, freedoms and fundamental rights of the persons concerned takes precedence over the legitimate interests of the company, and that the latter cannot therefore rely on the legal basis mentioned in Article 6, paragraph 1, f) to base its commercial prospecting operations by telephone.

2) On consent

78. The rapporteur considers that, to base its commercial prospecting operations by telephone, the company cannot rely on the legal basis of consent referred to in point a) of Article 6, paragraph 1, of the GDPR. It is based on the same arguments as those developed concerning the breach of article L.34-5 of the GDPR, with regard to the collection forms implemented by data providers.

79. In defense, the company relies on the terms of the contract concluded with the company […]. It takes note of the material findings but indicates that, if the breaches exist, they are representative neither of a desire to ignore its obligations, nor of generalized practices. In this regard, it provides two examples of collection forms implemented by its suppliers, which it considers to be compliant. Finally, it reports checks carried out on the files following their provision by the service provider and emphasizes the impossibility, given the volume of these files, of implementing a unitary check.

80. Firstly, the restricted panel recalls that, if the intentional nature of the violation must be taken into account to decide whether there is reason to impose a fine and to decide on its amount, it has no impact on the characterization of the breach, the latter possibly resulting from negligence. The same applies to the generalized nature or not of said breach.

81. Secondly, with regard to the methods of obtaining consent to telephone prospecting, the restricted panel considers that the forms implemented by the suppliers of the company HUBSIDE.STORE do not make it possible to collect valid consent, in the sense of Article 6, paragraph 1, point a) of the GDPR, as developed in points 47 to 63 of this deliberation with regard to electronic prospecting.

82. Third and last, with regard to the checks that the company claims to carry out on the files delivered, the restricted panel observes that the company does not produce any evidence to attest to this.

83. On the one hand, in its written observations of September 29, 2023, then in its oral observations during the meeting of December 7, 2023, the company mentioned a document entitled "leads_701_23-09-2021 […]", collected during on-site inspection and reporting, according to it, "checks of the prospecting files carried out following their provision by the service provider". By deliberation no. SAN-2023-019 of December 14, 2023, the restricted panel requested the rapporteur and the company to produce this document.

84. The restricted panel notes that the file produced by the rapporteur, the digital fingerprint of which attests that it is indeed the file from which the findings were made by the delegation during the inspection, does not contain any element of a nature to attest to the verifications relied upon by the company. In accordance with what is mentioned on the inspection report, this is a file of prospects (“leads”) delivered by the company […] to the INDEXIA group on September 23, 2021, containing the data of approximately 15,000 prospects. If, for each of these prospects, a URL link allowing access to the source of the data is present, the restricted training notes that no mention is made of verifications which could have been carried out by the company HUBSIDE.STORE or the INDEXIA group. During the meeting of January 18, 2024, the company indicated that it did not question the integrity of this part.

85. Regarding the file produced by the company, the restricted panel notes that it does not correspond to that collected during the inspection, insofar as its digital footprint and its size differ. It further notes that this difference is confirmed by its content since, contrary to the findings appearing in the minutes of September 23, 2021, it does not contain any prospect data but only URL links accompanied by comments ("ok", "only one check box", "disputed").

86. Finally, the restricted panel observes that the content of the file produced does not appear consistent with the purpose invoked insofar as the summary and undated comments which appear therein are not linked to any prospect sheet and that it is not Furthermore, it has not been demonstrated that the non-conformities identified would have been reported to the company […]. The restricted training thus considers that in any case, such a file does not make it possible to demonstrate the existence of checks carried out on the files delivered.

87. On the other hand, with regard to the other documents in the file, the restricted panel notes that they exclusively attest to requirements imposed by the company HUBSIDE.STORE on the company […], prior to the resumption of their contractual relations , without constituting controls by the company HUBSIDE.STORE on the subsequent practices of its service provider.

88. The restricted panel finally notes that the proportion of non-compliant files among those randomly examined by the delegation (i.e. four non-compliant files out of the seven examined) demonstrates the inadequacy of the measures taken by the company to ensure compliance. validity of the consent of the persons concerned.

89. Thus, the restricted panel considers that the forms referred to in this deliberation do not allow the company HUBSIDE.STORE to have valid consent from the persons concerned. It emphasizes that with regard to the forms produced by the company in its observations of September 29, 2023, the breach noted is persistent.

90. Therefore, in the absence of a legal basis allowing the company HUBSIDE.STORE to base its commercial prospecting operations by telephone, the restricted panel considers that a breach of Article 6 of the GDPR has occurred.

E. On the failure to fulfill the obligation of transparency and information of individuals

91. Article 14(1) of the GDPR lists the information to be communicated by the data controller to the data subjects when their personal data has not been collected from them, including the purposes of the processing and its legal basis.

92. Paragraph 2 of this same article provides that "in addition to the information referred to in paragraph 1, the data controller shall provide the data subject with "certain information" necessary to ensure fair and transparent treatment with regard to the data subject. concerned", in particular the rights they have, the retention period of the data, the source from which they come or even the right to lodge a complaint with a supervisory authority.

93. The rapporteur notes that people who are the subject of commercial prospecting by telephone from the company HUBSIDE.STORE (i.e. approximately 1.3 million French and Belgian prospects between May 2022 and May 2023) are not informed of all of the mandatory information provided for in the aforementioned article 14. It observes that, if prospects are well informed of the recording of the call as well as their possibility of opposing this recording and registering on Bloctel, all other information is not communicated to them, the persons concerned are also not offered the possibility of obtaining more complete information.

94. The company did not present any observations in defense on this point.

95. The restricted training recalls that, to the extent that the company has indicated that it carries out commercial prospecting by telephone based on files transmitted by its partners, this is a case of indirect collection, for which the information of the persons must be insured under the conditions defined in Article 14 of the GDPR.

96. She notes, for clarification, that the EDPS specifies, in his guidelines on transparency within the meaning of Regulation (EU) 2016/679, that if information at several levels is possible for greater clarity, he " recommends that the first level (i.e. the main way of first communicating with a data subject) generally communicates the most important information [...] For example, when the first contact with a data subject is by telephone , this information could be provided during the telephone call while the other information required under Articles 13 and 14 could be provided subsequently and by other means, including by sending a copy of the privacy policy by email and/or by sending the data subject a link to the online notice/statement of the controller on the protection of privacy at different levels. Regarding the obligation to provide information in a telephone environment, it is suggested to implement "oral explanations provided by a natural person allowing interaction, [of] questions requiring an answer, or [of] automated information or pre-recorded offering the option to hear other, more detailed information.

97. The restricted panel observes that it appears from the telephone recordings communicated by the company that the persons subject to telephone prospecting are only informed of the recording of the call and of the possibility of registering on Bloctel, without that no other information is communicated to them regarding the processing of their personal data.

98. The restricted training further notes that these people are not offered any possibility of obtaining more complete information, for example by activating a key on their telephone keypad.

99. Under these conditions, the restricted panel considers that the breach of Article 14 of the GDPR has been established.

F. On the failure to comply with the obligation to ensure data security

100. Under the terms of Article 32, paragraph 1 of the GDPR, "taking into account the state of knowledge, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks, the degree of probability and severity of which varies, for the rights and freedoms of natural persons, the controller and the processor implement appropriate technical and organizational measures in order to guarantee a level of security adapted to the risk [ …] "and in particular "means to guarantee the constant confidentiality, integrity, availability and resilience of processing systems and services" and a "procedure aimed at regularly testing, analyzing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing".

101. The rapporteur notes that the company has indicated that it will keep the data of customers of its points of sale in Europe, i.e. 104,391 people in November 2021, for a period of five years from the date of closing of the contract, in accordance with the deadlines legal prescription, specifying that this data was kept in active database, without any intermediate archiving mechanism being implemented. The rapporteur considers that these storage arrangements do not make it possible to limit access to data to users with a need to know, to the extent that people with an interest in having access to this data during the duration of the contract continue, even after the end of the latter, to be able to access it without restriction for a period of five years, even though their functions no longer necessarily require them to know it.

102. In defense, the company indicates that each HUBSIDE.STORE store has its own customer database, and that sellers can therefore only access customer information from the store to which they are attached. Regarding support services, it confirms that they have access to all customer data from the HUBSIDE.STORE network. Furthermore, it does not dispute that at the end of the contractual relationship, no limitation of access occurs, and specifies that certain services, in particular after-sales service, are managed by the sellers themselves. Finally, she underlines, as part of her oral observations during the session of December 7, 2023, that the company HUBSIDE.STORE, although created in 2017, began to deploy its stores from the year 2021, and that no data has therefore been kept for five years.

103. The restricted training recalls that it follows from the provisions of Article 32 of the GDPR that the data controller must put in place appropriate measures to ensure the confidentiality of the data and prevent them from being processed unlawfully by persons who do not need to know (CNIL, FR, October 29, 2021, Sanction, n°SAN-2021-019, published).

104. This need to know is likely to evolve depending on the life cycle of the data and the purposes for which they are kept. Thus, during the phase of their current use, which corresponds to the duration necessary to accomplish the determined purpose, the data are kept on an "active basis" and accessible to all the services responsible for implementing the processing. At the end of this phase, when the data is no longer used to achieve the set objective but they still present an administrative interest for the organization (for example for the management of possible litigation) or must be kept to meet a legal obligation, they must be able to be consulted only on an ad hoc and motivated basis by specifically authorized persons, participating in the objective which justified this conservation, by being the subject of intermediate archiving. This intermediate archiving requires a separation from the active database, which can be physical (via a transfer of data within a dedicated archive database), or logical (via the implementation of technical and organizational measures guaranteeing that only people with an interest in processing the data due to their functions can access it).

105. The restricted panel notes that the company does not dispute retaining its customers' data at the end of the contractual relationship, without any intermediate archiving measure taking place. The restricted training recalls that the termination of contractual relations must lead to limiting access to data to certain employees due to their functions. However, the restricted panel considers that as it stands, the elements in the file do not make it possible to establish that people would have access to said data without needing to know it.

106. It follows from the above that the breach of Article 32 of the GDPR is not constituted.

III. On the issuance of corrective measures and publicity

107. Under the terms of article 20 of law no. 78-17 of January 6, 1978 as amended: "When the data controller or its subcontractor does not comply with the obligations resulting from regulation (EU) 2016/679 of 27 April 2016 or this law, the president of the National Commission for Information Technology and Liberties may [...] refer the matter to the restricted formation of the commission with a view to pronouncing, after adversarial procedure, one or more of the measures following: […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the figure total global annual business of the previous financial year, the highest amount being retained. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased. , respectively, to 20 million euros and 4% of said turnover. The restricted body takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

108. Article 83 of the GDPR provides that: "Each supervisory authority shall ensure that administrative fines imposed under this article for violations of this regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective , proportionate and dissuasive", before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding the amount of this fine.

109. Firstly, the restricted committee recalls that it must take into account, when issuing an administrative fine, the criteria specified in Article 83 of the GDPR, such as the nature, seriousness and duration of the violation. , whether the violation was deliberate or not, the measures taken by the controller to mitigate the damage suffered by data subjects, the degree of cooperation with the supervisory authority and the categories of personal data affected by the violation .

110. The restricted training emphasizes that the breaches committed by the company relate to obligations relating to the fundamental principles of the protection of personal data.

111. Thus, with regard to the collection of consent for prospecting purposes by electronic means, the restricted training emphasizes the fact that the ecosystem of the resale of data from partners to partners requires particularly strong guarantees as to the quality and to the validity of the consent obtained by the first data collector and which the partners rely on for commercial prospecting purposes. It emphasizes that in this regard, the organization which avails itself of such consent to carry out commercial prospecting operations assumes an essential responsibility requiring it, as data controller, to ensure that the conditions enabling it to carrying out said operations are combined, regardless of the possible liability of the data providers, primary collectors. In addition, it considers that the requirements must be particularly strengthened with regard to the methods of obtaining the consent of users of websites whose purpose is to offer prospects of earning, these people not necessarily being aware of the scope of their agreement as part of their registration. It also notes that the company massively uses electronic prospecting, - this having sent more than 1.3 million SMS messages between September 2020 and September 2021, and more than 220,000 between May 2022 and May 2023 -, and that such practices are likely to be experienced as particularly intrusive.

112. Regarding the failure to comply with the obligation to have a legal basis for processing prospects' data in the context of commercial prospecting by telephone, the restricted training recalls the importance, in the absence of collection of valid consent, to allow data subjects to measure the extent of the processing to which their data is likely to be subject. Thus, the fact that at the time of data collection, a detailed list of partners likely to carry out commercial prospecting operations is made available to the persons concerned, without the company HUBSIDE.STORE appearing there, and without this list is supplemented by a mention specifying the categories of partners to which the company HUBSIDE.STORE could be a part, deprives the persons concerned of the minimum base of information allowing them to preserve their interests, freedoms and fundamental rights.

113. Regarding the failure to comply with the obligation to inform individuals, the restricted panel notes that the company uses data obtained massively from data brokers, without notably allowing the individuals concerned to ascertain the source of their information. collection. It recalls that informing people constitutes a fundamental measure enabling them to exercise the rights from which they benefit, and that such a failure is therefore particularly serious. Finally, she emphasizes that this failure appears structural, to the extent that, of the dozens of call recordings provided by the company, none meets the information requirements provided for in Article 14 of the GDPR.

114. The restricted training finally emphasizes the fact that the company HUBSIDE.STORE, as a subsidiary of the company SFK GROUP, has sufficient human, financial and technical resources to ensure compliance with the rules relating to data protection of a personal nature.

115. In view of all of these elements, the restricted panel considers that it is appropriate to impose an administrative fine for breaches of Articles L. 34-5 of the CPCE and 6 and 14 of the GDPR.

116. Secondly, with regard to the amount of the fine, the restricted committee recalls that the violations noted in this case concern breaches of principles likely to be subject to, under Article 83 of the GDPR , an administrative fine of up to 20 million euros or up to 4% of the global annual turnover of the previous financial year, whichever is higher.

117. It considers that the activity of the company and its financial situation must in particular be taken into account. It notes in this regard that the company HUBSIDE.STORE achieved a turnover of more than […] euros for the year 2021, for a profit of more than […] euros. Furthermore, the restricted training notes that the number of HUBSIDE.STORE stores increased from 62 in September 2021 to 97 in May 2023, an increase of 56%.

118. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the GDPR mentioned above, the restricted panel considers that a fine of five hundred and twenty -five thousand euros (€525,000) appears justified.

119. Thirdly, with regard to the publicity of the sanction, the restricted panel considers that this is justified in view of the seriousness of some of the breaches in question, the position of the company on the market, the scope of processing and number of people affected.

120. It also notes that this measure is intended in particular to inform the people concerned by the company's prospecting operations. This information will allow them, if necessary, to assert their rights.

121. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company HUBSIDE.STORE in the amount of five hundred and twenty-five thousand euros (€525,000) for breaches of articles L.34-5 of the postal and electronic communications code and 6 and 14 of the GDPR, which breaks down as follows:

 two hundred thousand euros (€200,000) for breach of article L.34-5 of the postal and electronic communications code;

 three hundred and twenty-five thousand euros (€325,000) for breaches of articles 6 and 14 of the GDPR;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.

President

Philippe-Pierre CABOURDIN

This decision may be the subject of an appeal before the Council of State within two months of its notification.